General

  • Target

    346425230d5fe038e5ee5f9e35f9c45578facae0364d0e62b2bbd42bc0b3fbac

  • Size

    211KB

  • Sample

    220521-pmx97sffd2

  • MD5

    91206f2d2178e023ae6a647d5b39b6fd

  • SHA1

    b0e958f13a857316dd3757c4a2f12625319b65de

  • SHA256

    346425230d5fe038e5ee5f9e35f9c45578facae0364d0e62b2bbd42bc0b3fbac

  • SHA512

    010cd65a11fcbc0b38ab1e389a1d0e161284e54b8ac9c7b777f97ce8c14b7ec97f1a7ecabb76bbbf5f1b09d86f0f193a6b8120615030f1ca834550652cf63986

Malware Config

Extracted

Family

lokibot

C2

http://198.23.200.239/~boxing/.tcsogb/vc.php/53i9zXCT3LNPn

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      DHL_Receipt.AWB no 0904202076.exe

    • Size

      292KB

    • MD5

      bdcf110abccdcba43da2d92997384811

    • SHA1

      a14beb840ffbb875fcd23a102e30087fc0f03ea0

    • SHA256

      fc8bcf14b8dd3bd8f21c2453bd9de6a1e2f0f52e26641d5b398dbd1c67d1437b

    • SHA512

      d581141d59dbf62a4599c1d4d09f1383a9adc6b183c9a6ad52f89b23889b4f3f5554996f1c50907f7899c108c3bcdcb97907518212ecffbce69397f1e813c6db

    • CoreEntity .NET Packer

      A .NET packer, CoreEntity, that embeds the payload as a Bitmap object and decrypts it at runtime.

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data, which can include saved credentials and other sensitive user data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
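The hashes and C2 URLs above are the indicators a responder takes away from this report. The Python below is an added example, not part of the sandbox output: it loads those indicators, separates the operator's C2 (the 198.23.200.239 vc.php URL) from the four /alien/fre.php hosts that the cracked Lokibot builder leaves in every sample's config, and sweeps constructed proxy log lines and a constructed hash list against them. The log format, client addresses and the unrelated hosts in it are invented for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the report above: the packed sample and the
# dropped "DHL_Receipt.AWB no 0904202076.exe" (SHA256, MD5 and SHA1 of each).
SAMPLE_HASHES = {
    "346425230d5fe038e5ee5f9e35f9c45578facae0364d0e62b2bbd42bc0b3fbac",
    "fc8bcf14b8dd3bd8f21c2453bd9de6a1e2f0f52e26641d5b398dbd1c67d1437b",
    "91206f2d2178e023ae6a647d5b39b6fd",
    "bdcf110abccdcba43da2d92997384811",
    "b0e958f13a857316dd3757c4a2f12625319b65de",
    "a14beb840ffbb875fcd23a102e30087fc0f03ea0",
}

# C2 list exactly as extracted from the Lokibot config in the report.
C2_URLS = [
    "http://198.23.200.239/~boxing/.tcsogb/vc.php/53i9zXCT3LNPn",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# These four hosts are left in the config by the cracked Lokibot builder and
# show up in most samples; they are not the operator's infrastructure.
BUILDER_DEFAULT_HOSTS = {
    "kbfvzoboss.bid", "alphastand.trade", "alphastand.win", "alphastand.top",
}


def c2_host(url):
    """Lower-cased host part of a URL (urlsplit normalises case, drops the port)."""
    return urlsplit(url).hostname or ""


def triage_c2(urls):
    """Split an extracted C2 list into operator hosts and builder leftovers."""
    out = {"operator": [], "builder_default": []}
    for url in urls:
        host = c2_host(url)
        key = "builder_default" if host in BUILDER_DEFAULT_HOSTS else "operator"
        out[key].append(host)
    return out


# Constructed proxy log (not from the report): epoch, client, method, URL, status.
# Line 4 deliberately contains the C2 IP as a prefix of an unrelated hostname.
SAMPLE_PROXY_LOG = """\
1653118700.101 192.0.2.10 GET http://www.example.com/ 200
1653118701.444 192.0.2.23 POST http://198.23.200.239/~boxing/.tcsogb/vc.php/53i9zXCT3LNPn 404
1653118702.007 192.0.2.23 POST http://ALPHASTAND.top/alien/fre.php 502
1653118703.555 192.0.2.31 GET http://198.23.200.239.example.net/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def scan_proxy_log(log_text, c2_urls):
    """Return one dict per log line whose request host equals a C2 host.

    Comparing the parsed host rather than grepping the raw line avoids false
    positives such as 198.23.200.239.example.net and ignores hostname case.
    """
    wanted = {c2_host(u) for u in c2_urls}
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real sweep would count these
        host = c2_host(m["url"])
        if host in wanted:
            hits.append({
                "line": lineno,
                "client": m["client"],
                "host": host,
                "builder_default": host in BUILDER_DEFAULT_HOSTS,
            })
    return hits


def match_hashes(observed):
    """Case-insensitive intersection of observed file hashes with the report's."""
    return {h.lower() for h in observed} & SAMPLE_HASHES


if __name__ == "__main__":
    print("C2 triage:", triage_c2(C2_URLS))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, C2_URLS):
        print("proxy hit:", hit)
    print("hash matches:", match_hashes(["FC8BCF14B8DD3BD8F21C2453BD9DE6A1E2F0F52E26641D5B398DBD1C67D1437B"]))
```

A hit on one of the builder-default hosts still means a Lokibot process ran on that client, but the operator's own infrastructure is the first URL, so blocking and pivoting should start there.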

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique               ID     Signatures
Credential Access  Credentials in Files    T1081  1
Collection         Data from Local System  T1005  1
Collection         Email Collection        T1114  1

The IDs follow ATT&CK v6 as labelled. In current ATT&CK, T1081 is retired and its content lives under T1552.001 (Unsecured Credentials: Credentials In Files); T1005 and T1114 keep their IDs.
